Extend secure, automated branch office networking to AWS with Cisco SD-WAN Cloud OnRamp

According to a Cisco study, by 2021, there will be 20 zettabytes of traffic between the DC/branch to the clouds, as companies use popular public cloud platforms like Amazon Web Services (AWS). Meanwhile, “IaaS is forecast to grow 24% year over year, which is the highest growth rate across all market segments,” according to Gartner.

However, while a cloud strategy creates more agility, it also presents challenges for IaaS deployments. Below are three primary concerns cloud users face regularly:

Inconsistent connectivity

Large-scale networks may traverse multiple slow public and/or expensive private connections to get to the cloud deployments, while smaller networks may need to battle out a slow, jittery internet to get to the clouds. In either case, customers will need to find the fastest and most reliable link while confirming a secure transport.

Complexity with governance

No real uniformity exists as to how different platforms handle their governance and compliance. This maze of rules and frameworks can create consistency problems with companies trying to utilize more than one cloud platform, especially with (but not exclusive to) IaaS. Finally, each cloud vendor has its own policy, security and segmentation process. These variances from vendor to vendor add another layer of complexity that must be managed.

Visibility problems

Different cloud platforms also use various protocols for analytics, metrics and insights. This variance can effectively reduce visibility for companies, making it more challenging to optimize usage across the network.

Cisco’s SD-WAN Cloud OnRamp automates and optimizes the enterprise SD-WAN to IaaS and SaaS

Cloud OnRamp is a cloud networking solution and a functionality of Cisco SD-WAN through which enterprises can network their branch sites to workloads deployed in cloud environments. Cloud OnRamp provides seamless, secure and automated networking for IaaS as well as an optimized experience for various SaaS applications.

One proven way to overcome the challenges of a cloud strategy is by implementing a consistent fabric across a company’s entire WAN network using Cisco SD-WAN Cloud OnRamp. Cisco SD-WAN provides a secure WAN architecture that can extend consistent policy enforcement, segmentation and security across both on-premises and cloud networks. Cloud OnRamp simplifies the experience further through the power of automation, using vManage as the single pane of glass management platform to create a SD-WAN transit network in the cloud provider’s environment.

Advantages of Cisco SD-WAN Cloud OnRamp

◉ Greater automation — With Cloud OnRamp, users can expect to automate SD-WAN extension to the cloud in minutes with just a few clicks.

◉ Improved security – Cloud OnRamp reduces security risks by leveraging graular segmentation and streamlined policy enforcement that can control and segment the traffic that flows through the network, guarding against external and internal threats to the data.

◉ Ease of management – Cloud OnRamp provides end-to-end data sharing between cloud and branch and establishes inter-regional visibility across transit data and network telemetry.

Cisco SD-WAN Cloud OnRamp Integration with AWS Transit Gateway

Cisco has partnered with AWS to provide end-to-end solutions for joint customers to create the best possible user experience. Customers benefit from fully automated networking to workloads in AWS Cloud and native integration between Cisco SD-WAN and AWS Transit Gateway and Transit Gateway Network Manager.

Sneak peek of the new features and benefits:

◉ Fully automated Cisco SD-WAN fabric extension to AWS Cloud: instead of spending hours of time per region and going through error-prone manual processes, now enterprise customers can bridge their branches to AWS workloads through a fully secure Cisco SD-WAN network in just minutes.

◉ Single pane of glass management through Cloud OnRamp: jumping back and forth between different management consoles of Cisco and AWS to orchestrate networking resources can be challenging and ineffective. With this new integration, enterprise customers will be able to manage both the Cisco SD-WAN virtual router and AWS Transit Gateway through Cloud OnRamp.

◉ Extending enterprise segmentation to AWS Cloud: one important aspect of secure networking is to ensure consistent enterprise segmentation across the entire network. By using the GUI-based Intent Management feature in Cloud OnRamp, enterprise customers can easily manage VPN to VPC and VPC to VPC communications through simple clicks.

◉ End-to-end visibility: by populating elements of both the SD-WAN network and AWS cloud network into AWS Network Manager, enterprise customers will have a unified and visualized view of both branch and cloud sites.

Watch AWS, Cisco and joint customer ENGIE discuss the benefits of integrating Cisco SD-WAN with AWS Transit Gateway Network Manager in a recent webinar and learn how to get started.

With more than half of enterprise workloads expected to be deployed in public clouds within the next year, cloud computing is a growing opportunity and challenge for today’s enterprises. By deploying an integrated solution like Cisco’s Cloud OnRamp for IaaS, companies will stay competitive by making their cloud strategy more productive, consistent and secure.

Continue reading

SD-WAN Security: Built-in is Better than Bolt-on

Securing enterprise data and business applications is undoubtedly at the forefront of every IT professional’s mind. However, efforts to secure data and applications competes with the priority to open up resources for a distributed workforce by moving applications and data to multiple cloud and SaaS platforms. It’s the task of the Wide Area Network (WAN) to securely connect cloud apps to the workforce on campus and branch sites. Unfortunately, by circumventing the security layers of the enterprise data center and using direct internet connections, data and devices can be exposed to a host of threats.

Secure, cloud-scale Software-Defined Wide Area Networks (SD-WAN) address these challenges with a designed-in set of features that combines security at scale with implementation flexibility. SD-WAN addresses flexibility with transport independence, enabling connections over direct internet broadband, MPLS circuits, and LTE/5G. Multiple connection types can carry traffic simultaneously so that the best path is automatically selected for optimal application experience, as well as for instant failover protection.

In addition to flexibility, I believe organizations need to address security holistically, with end-to-end networking approach that embeds security layers directly into the SD-WAN fabric along with intelligent analytics to measure and maintain application quality of experience (QoE). Let’s look at three capabilities that SD-WAN needs to have to successfully provide security along with ubiquitous connectivity and high levels of application experience for distributed enterprises.

1. SD-WAN provides security without compromising flexibility, simplicity, and application experience.

By unifying security and networking, enterprises get the flexibility they need with the application experience they want. IT gets simplicity of centralized administration to manage distributed resources. Integrating flexible, transport-independent WAN capabilities with full stack security, all managed from one cloud portal, reduces the inevitable complexities that result from installing, configuring, and managing products from multiple vendors with multiple interfaces. Branch sites gain direct internet access to cloud applications with protection against threats originating from the internet.

SD-WAN flexibility and security can be extended to colocation facilities and cloud platforms to provide connectivity to regional branch sites and minimize the attack surface without deploying edge hardware to each site. Applying unified security and segmentation policies through SD-WAN through a cloud colocation platform keeps personal data regional to help meet regulatory and privacy requirements.

With the ability to centrally manage both the SD-WAN fabric and integrated security stack from a central cloud portal, IT can focus on providing the best application experience for the workforce. SD-WAN Cloud OnRamps for SaaS platforms, for example, provide performance specifically tuned for cloud applications such as Office 365, directing traffic from branches to the closest cloud gateways to meet pre-defined SLAs, and simplifying both connection management and access security.

Cisco’s integrated security solution provides the best balance of security and user experience for direct internet access Direct Internet

2. Security is an embedded full-stack solution, not an add-on.

As data leaves the control of tightly-managed data centers and spreads to multiple cloud and SaaS platforms, security controls have to be at the forefront of the network design. When considering the capabilities of an SD-WAN solution, look for a fully-integrated security stack that includes an application-aware enterprise firewall, intrusion prevention, advanced malware protection, and URL filtering operating at the edge or the cloud.

Be aware that when similar security layers are implemented as bolt-on sets of third-party point solutions, they must be individually integrated and managed, requiring additional IT training and time to unify them.

3. Protect data and applications with on-premise or cloud-based security

Where a SD-WAN security stack is deployed is less about the efficacy of protecting data than providing flexibility to adapt to changes in an organization’s operations. A holistic end-to-end solution that encompasses on-premise as well as cloud security—including integration with third-party security vendors—provides maximum flexibility.

◈ On-box security at each branch edge router, for example, provides flexibility to tailor each instance to branch-specific security, routing, and access policies—guest access, direct internet permissions, VPN tunnels—to meet business requirements.

◈ Easy-to-implement cloud-delivered security gateways, such as Cisco Umbrella, monitor traffic and apply security policies to guard against accessing known malicious sites, phishing attacks, and ransomware infections.

◈ SD-WAN with security as Virtual Network Functions (VNFs) hosted in colocation facilities provide connectivity for many regional branch sites with the same capabilities as on-premise branch implementation, along with unified security and segmentation policies to protect and keep data regional to meet regulatory and privacy requirements.

◈ SD-WAN built-in security is enhanced with knowledge derived from Cisco Talos, the leading cyber threat intelligence team, that constantly monitors emerging threats worldwide and automatically updates SD-WAN security solutions with proactive and actionable resolutions.

Security without Compromise

These three capabilities provide a foundation for evaluating an SD-WAN’s fit in an enterprise’s secure WAN architecture. Since security is a must-have to protect sensitive business data, and application performance is equally important to keep a workforce productive and meet customer experience levels, the two cannot be exclusive—there can be no compromise.

While implementing a flexible, high-performing SD-WAN solution solves a myriad of challenges, without built-in security, every connected resource is at risk. Likewise, installing the best security solutions without a flexible, dependable SD-WAN fabric to optimize application performance doesn’t provide the enterprise workforce with the information they need at the right place at the right time.

To successfully transition enterprise resources to cloud and SaaS computing, an SD-WAN architecture must encompass the best of both security and application performance. An end-to-end software-defined networking architecture embeds security directly into the SD-WAN fabric to provide the optimal solution for IT and a distributed workforce.

Continue reading

Optimizing Multi-Cloud Connectivity with Cisco SD-WAN Cloud onRamp for Colocation

Enterprises are busy implementing SD-WAN to provide cost-effective, secure, and application-aware connectivity to multiple cloud platforms for branches and remote offices. The results are clear: a distributed workforce obtains superior Quality of Experience (QoE) for multi-cloud and SaaS applications with a full security stack built-in to the edge routers to protect data and privacy. Choosing direct internet or direct cloud connectivity options reduces latency to provide appropriate levels of QoE for SaaS applications while eliminating the expense of backhauling all branch traffic to distant enterprise data centers. For many organizations with a network of remote sites, implementing Cisco SD-WAN at each branch is a perfect union of control, cost effectiveness, and security.

However, aggregating access to multi-cloud applications from multiple branches to regional CoLocation facilities may be a better solution for:

◈ Multi-national organizations that prohibit using direct internet connections to cloud and SaaS platforms at the branch level due to data security restrictions and international privacy regulations for cross-border sharing of personal information.

◈ Global organizations, such as financial institutions, that often have thousands of branch offices spread over multiple geographic regions, each one requiring high application QoE with granular security over traffic segmentation and application access; providing each site with an edge router may not be the most cost-effective implementation.

◈ Partners and vendors, who are not using SD-WAN, still need connectivity to their customers’ enterprise resources and applications but do not want to install a customer’s SD-WAN routing appliance in each of their sites to provide secure access.

◈ Remote workers—at home offices or mobile—need secure VPN connections to enterprise resources over inexpensive direct internet links without backhauling traffic to a VPN firewall at a central data center and incurring additional latency that affects application performance and voice/video quality.

In these cases, it can be more efficient and economical to regionalize SD-WAN services in colocation facilities that are physically closer to the branches and often may even host the cloud resources they need to access. Creating a software-defined virtualized multi-cloud onRamp for CoLocation facilities to serve groups of regional branch offices, partners, and a remote workforce, provides consolidation, control, and security for large distributed organizations and those with regulatory compliance challenges.

Consolidation, Control, and Security

To simplify the deployment and management of SD-WAN for multiple branches distributed over several regions, Cisco is introducing the Cisco SD-WAN Cloud onRamp for CoLocation. This new capability expands Cisco SD-WAN onRamp features that make it easy to optimize IaaS and SaaS performance. The platform of virtualized network functions (VNFs) and trusted hardware runs in a colocation facility to provide connectivity to multi-cloud applications, along with an integrated security stack and cloud orchestration for remote management.

A typical use case for implementing a Cloud onRamp for CoLocation is an enterprise that has dozens of distributed branch offices, clustered around major cities, spread over several countries. The goal is to tie each branch to enterprise data center databases, SaaS applications, and multi-cloud services while meeting SLAs and application QoE expectations. Each region encompassing the target cities uses a colocation IaaS provider that hosts the Cisco Cloud onRamp for CoLocation, which consists of physical and virtual components:

◈ Cisco SD-WAN vManage for centralized management of the SD-WAN Fabric, the Cloud onRamp for CoLocation feature makes it easy to manage policy and deploy VNFs in a colocation facility.

◈ Cisco Cloud Services Platform (CSP) 5444 for hosting the VNFs.

◈ Cisco Catalyst 9500-40 Switches provide multi-gigabit backplane switching to VNFs, redundancy, inbound/outbound WAN connectivity, and access to colocation management tools.

With Cisco SD-WAN Cloud onRamp for CoLocation operating regionally, connections from colocation facilities to branches are set up and configured according to traffic loads (video vs web browsing vs email), SLAs (requirements for low latency/jitter), and Quality of Experience for optimizing cloud application performance. Each branch or private data center is equipped with a network interface that provides a secure tunnel to the regional colocation facility. In turn, the Cloud onRamp for CoLocation establishes secure tunnels to SaaS application platforms, multi-cloud platform services, and enterprise data centers. All traffic is securely routed through the Cloud onRamp for CoLocation stack which includes security features such as application-aware firewalls, URL-filtering, intrusion detection/prevention, DNS-layer security, and Advanced Malware Protection (AMP) Threat Grid, as well as other network services such as load-balancing and Wide Area Application Services.

The platform also enables non-SD-WAN-managed traffic from partners, for example, to funnel through the colocation facility on the way to other branches, data centers, or SaaS applications, taking advantage of the Cloud onRamp’s security and policy management. A remote-office or mobile workforce can use SSL VPN tunnels to access the colocation facility directly, and from there the services and platforms connected via the SD-WAN. If a partner organization has an existing physical link to the colocation facility, the Cisco Cloud onRamp for CoLocation is capable of terminating the link to join the service chain.

Multi-Cloud, Multi-SaaS Connectivity with Security and Trust

With virtualized Cisco SD-WAN running on regional colocation centers, the branch workforce has access to applications and data residing in AWS, Azure, and Google cloud platforms as well as SaaS providers such as Microsoft 365 and Salesforce—transparently and securely. Distributing SD-WAN functionality over a regional architecture also brings processing power closer to where data is being generated—at the Cloud Edge. It’s at this intersection of the network, cloud, and security where businesses face greater risks, inconsistent application performance, and increasing complexity. The Cisco Cloud OnRamp for CoLocation applies consistent security policies across branches, devices, and people depending on authorized access requirements, even when multiple service providers are routing traffic.

With the SD-WAN functionality hosted in a colocation facility, ensuring that router appliances and software are original Cisco products and have not been tampered with at any stage of installation and operation is a critical consideration. That’s why Cisco embeds an encrypted Secure Unique Device Identifier (SUDI) in tamper-resistant silicon in SD-WAN router appliances. This foundational level of trust is complimented with VNF image signing, secure boot, and the Cisco Secure Development Lifecycle to ensure software and hardware are tamper-proof. With this built-in level of trust established, IT can remotely configure and manage Cisco Cloud onRamp for CoLocation installations from the other side of the world with confidence that the target Cisco hardware and software are original and uncorrupted.

Open Architecture Integrates Third-Party Functionality

Recognizing that enterprises with distributed workforces and regional offices often rely on a variety of networking products, the Cisco Cloud onRamp for CoLocation has an open architecture, enabling third-party VNFs to integrate with the SD-WAN fabric. For example, even though Cisco SD-WAN comes with an integrated security stack, an organization may already have trained and programmed a third-party security firewall or Intrusion Protection solution and wish to integrate those services in each Cloud onRamp for CoLocation. Other VNFs such as Load Balancers and Web Application Security can be added as needed to conform to an enterprise’s existing configurations and security policies. The Cisco Cloud onRamp for CoLocation fully supports custom applications as well, using a custom packaging tool to bundle the specialized apps and integrate them into a service chain.

Secure Multi-Cloud Connectivity—Everywhere You Need It

Whether deploying SD-WAN at the cloud edge to serve an individual branch office or via colocation facilities to serve multiple regional sites, Cisco provides simplified orchestration and automation of enterprise WAN service chains. Our software-defined architecture ties together a distributed workforce with multi-cloud applications using VNFs that can be rapidly provisioned and expanded on flexible colocation platforms to meet evolving business needs and regulatory requirements. Keeping regional offices connected and productive is more cost effective and easier to manage than ever.

Continue reading

Rapid Evolution of Cisco SD-WAN is a Revolution for Enterprises with a Cloud-First Strategy

Just a few years ago, software-defined wide area networking (SD-WAN) was a “new” technology just breaking into the awareness of the IT market. It arrived at the time when enterprises were changing from moving applications and data to “a” cloud platform, to expanding to multiple clouds. SaaS application providers for CRM, HR, finance, and supply chain were firmly established as critical business resources that need to be accessible from anywhere via direct internet connections.

These were all positive changes, but not without a certain amount of pain. In particular, the traditional WANs were struggling with these new demands. The WAN architecture worked well when all connections from branches and a distributed workforce flowed back to a central data center through MPLS lines, where security policies were also applied. But the hub and spoke WAN architecture broke down as more direct internet connections were needed to access multi-cloud resources and SaaS applications. Continuing to backhaul all traffic to data centers before routing to internet cloud applications results in increasing MPLS costs, bandwidth inefficiencies, increased latency, and poor application quality of experience. In addition, WANs were often composed of components from multiple vendors, limiting the visibility and control over performance and troubleshooting.

SD-WAN was designed to answer these challenges. The technology provides methods to prioritize critical business traffic and take advantage of internet broadband connections—previously used for backup and redundancy—to connect directly to multicloud resources. SD-WAN simplifies the management of the wide area network fabric with a controller-first overlay that is independent of transport layers—MPLS, Ethernet, internet, leased lines, DSL, LTE networks, and soon 5G. SD-WAN controllers intelligently choose among the available transport mediums to deliver the best application performance as defined by IT service level agreements (SLA).

The Evolution of Cisco SD-WAN

In the early stages of SD-WAN, engineers at Viptela developed a flexible SD-WAN architecture based on cloud management and controllers (vManage and vSmart) and virtualized network function edge routers (vEdge). Their version of SD-WAN followed the same software-defined architecture as Cisco’s Digital Network Architecture (DNA), separating the Data, Control, and Management Planes for maximum flexibility. Viptela’s architecture made it a natural extension to Cisco’s Intent-Based Networking vision. Viptela’s visionary team and technology were acquired by Cisco two years ago this week—August 1st to be precise. Rapid innovations and integrations have been ongoing ever since.

Many of the innovations we’ve added come from listening to our enterprise customers who are seeking a solution to unite multi-domain cloud resources across a distributed organization. We hear that they need ways to simplify the interconnection of the domains with unified access and security policies applied across campus, branch, and cloud. Let’s look at the capabilities we’ve added to make Cisco SD-WAN powered by Viptela an enterprise-class platform that meets these needs and more.

Looking Deep Inside SD-WAN Operations

Networks are becoming much more complex as organizations tie data centers, remote branches, and a distributed workforce with multi-cloud applications using connectivity options like direct internet and LTE that are outside the direct control of IT. Therefore, it’s important to be able to see inside the WAN to monitor, measure, and adjust the parameters affecting performance. That’s why one of the first capabilities Cisco added to the SD-WAN stack was Cisco vAnalytics, a cloud-based tool for monitoring and analyzing SD-WAN performance via the vManage portal. vAnalytics provides specific information that enables IT to readily monitor bandwidth usage, application performance, and detect anomalies based on baseline application usage. Going forward, vAnalytics will incorporate more artificial intelligence and machine reasoning, as was recently introduced in Cisco AI Network Analytics.

Expanding SD-WAN to Cisco ISR/ASR Edge Routers

When considering a new technology, IT leaders prefer to avoid the need to “rip and replace”. Cisco alleviates that concern by making SD-WAN available to run on over a million ISR/ASR routers that are already serving branches and campus networks worldwide. Cisco IOS XE, released a year ago, provides an instant upgrade path for creating cloud-controlled SD-WAN fabrics to connect distributed offices, people, devices, and applications operating on the installed base of ISR/ASR routers. At the same time, we added the ability to run SD-WAN as virtualized network functions in a cloud provider’s IaaS platform, providing even more flexibility to quickly extend SD-WAN to the cloud.

SD-WAN Full Stack Security Protects Branch Data and Cloud Applications

When using the internet to connect branches and remote employees with cloud applications, sensitive data could pass over multiple networks outside of the control of IT, increasing security risks. Protecting the data while making it available on-demand to the workforce presents a series of technical and enforcement challenges.

To allay those concerns, Cisco, one of the top worldwide providers of network security solutions, integrated full-stack security into SD-WAN running on edge routers. Cisco SD-WAN Security is built-in, not composed of separate bolted-on components from a disparate variety of vendors, making security easy to manage via the vManage cloud portal. By integrating an application-aware firewall, intrusion detection and prevention, advanced malware protection, and Cisco Umbrella DNS cloud security layer, data security is easily and consistently maintained across branches.

In addition to securing branch and distributed workforce connections, IT wants to holistically address security concerns across multiple domains. That means setting access and security policies once and having them permeate the enterprise across data center, campus, and branch, to the cloud edge where IoT devices increasingly need to do local processing. Because Cisco designs security using an end-to-end perspective, creating cross-domain policies is not only possible, but a necessary capability as applications, data, and devices become more distributed and the workforce more mobile. Cisco is enabling unified policy management by linking ACI in the data center with SD-Access in the campus and SD-WAN for branches so that segmentation and security are applied consistently all the way from people and devices to the application hosting cloud platforms.

SD-WAN Cloud OnRamp for CoLocation Consolidates Regional Branch Connectivity

With SD-WAN making it simpler to configure and manage connections from branches to cloud resources, it’s just one more step to consolidate many regional branches under a common colocation facility. Creating an onramp connection from each of many branches to a colocation facility hosting a virtualized SD-WAN reduces the need for edge routers at each location and centralizes the management while providing all the same security and transport layer options.

In many cases, the target cloud providers and SaaS applications reside in the same colocation facility, thus shortening the paths and reducing latency to further improve application performance for potentially dozens to hundreds of branches. Additional virtualized SD-WAN instances in the colocations can also be quickly spun up to connect new branches as quickly as needed. SD-WAN Cloud OnRamp for CoLocation joins Cisco’s Cloud OnRamp for IaaS and SaaS to extend connectivity management from branches to multiple cloud platforms to provide granular control over application quality of experience via vManage.

Evolution of SD-WAN Continues for Revolutionary Results

All these innovations integrated into Cisco SD-WAN powered by Viptela are fundamental to building an Intent-Based Network. Built-in network intelligence translates business intents into network actions that provide consistent access policies, security for devices and data, and a high-quality application experience for a distributed workforce. Integrating multicloud compute resources with cross-domain access drives a revolution in business as enterprises strive to connect information to people anywhere at any time to improve employee productivity and customer experience.

National Instruments, an international leader in test and measurement systems, implemented SD-WAN to solve a number of IT and business problems. Like many organizations with a globally distributed workforce, the network supports communication services, software distribution, and access to applications and data resources among worldwide sites. The existing WAN greatly constrained video conferencing, slowed large software transfers, and couldn’t provide acceptable application performance. Implementing SD-WAN turned those issues around by:

◈ Reducing MPLS spending by 25% while increasing bandwidth by 3,075%.

◈ Categorizing traffic by function and type, sending backup traffic over the Internet under an SLA, eliminating bandwidth bottleneck on MPLS circuits.

◈ Reducing the time for software updates to replicate across the network from 8 hours to 10 minutes.

◈ Adding new internet-based services used to take months, with the agility of SD-WAN new services can be deployed in the cloud immediately.

◈ Eliminating the need for call admission controls and limiting video quality for conferencing

Enterprises are gaining advantages such as these by upgrading their aging WAN technology to SD-WAN. It’s not just cost savings by supplementing or replacing MPLS with direct internet connections that is motivating the transition to software-defined WAN architecture. It’s also about gaining flexibility and stability with intelligent, continuously monitored connections to multicloud resources and SaaS applications that are fueling the transition. In a software-defined world, people, devices, applications, and data are all securely connected to ensure organizations run efficiently as they tackle digital transformation projects. How will you use SD-WAN to support your digital revolution?

Continue reading

Improve Office 365 Connectivity with Cisco SD-WAN

As more applications move to the cloud, the traditional approach of backhauling traffic over expensive WAN circuits to the data center or a centralized Internet gateway via a hub-and-spoke architecture is no longer relevant. Traditional WAN infrastructure was not designed for accessing applications in the cloud. It is expensive and introduces unnecessary latency that degrades the user experience. The scale-up effect of the centralized network egress model coupled with perimeter stacks optimized to handle conventional Internet browsing often pose bottlenecks and capacity ceilings, which can hinder or bring to a stall customer transition to the SaaS cloud.

As enterprises aggressively adopt SaaS applications such as Office 365, the legacy network architecture poses major problems related to complexity and user experience. In many cases, network administrators have minimal visibility into the network performance characteristics between the end user and software-as-a-service (SaaS) applications. ‘One size fits all’ approach focusing on perimeter security without application awareness, which legacy network architectures often have, do not allow enterprises to differentiate and optimize sanctioned and more trusted cloud business applications from recreational Internet use, resulting the former to be subject to expensive and intrusive security scanning further slowing down user experience.

Massive transformations are occurring in enterprise networking as network architects are reevaluating the design of their WANs to support a cloud transition, reduce network costs, increase visibility and manageability of their cloud traffic, while ensuring an excellent user experience. These architects are turning to software-defined WAN (SD-WAN) to take advantage of inexpensive broadband Internet services and to find ways to intelligently route trusted SaaS cloud bound traffic directly from remote branches. Cisco SD-WAN fabric is an industry-leading platform that delivers an elegant and simplified secure, end-to-end hybrid WAN solution that can facilitate policy based, local and direct connectivity from users to your trusted, mission critical SaaS applications, such as Office 365, straight from your branch office. Enterprises can use this fabric to build large-scale SD-WAN networks that have advanced routing, segmentation, and security capabilities with zero-touch bring-up, centralized orchestration, visibility and policy control. The result is a SaaS cloud-ready network that is easy to manage and more cost-efficient to operationalize and that empowers enterprises to deliver on their business objectives.

A fundamental tenet of the Cisco SD-WAN fabric is connecting users at the branch to applications in the cloud in a seamless, secure, and reliable fashion. Cisco delivers this comprehensive capability for SaaS applications with the Cloud onRamp for SaaS solution in alignment with Microsoft’s connectivity principles for Office 365.

With Cloud OnRamp for SaaS, the SD-WAN fabric continuously measures the performance of a designated SaaS application through all permissible paths from a branch and assign a score. This score gives network administrators visibility into application performance that has never before been available. Most importantly, the fabric automatically makes real-time decisions to choose the best-performing path between the end users at a remote branch and the cloud SaaS application. Enterprises have the flexibility to deploy this capability in multiple ways, according to their business needs and security requirements.

In some deployments, enterprises connect remote branches to the SD-WAN fabric using inexpensive broadband Internet circuits, and they want to apply differentiated security policies depending on the type of services users are connecting to.  For example, instead of sending all branch traffic to a secure web gateway (SWG) or cloud access security broker (CASB), an enterprise may wish to enforce their IT security policies in a targeted manner – by routing regular Internet traffic through SWG, while allowing performance optimal direct connectivity for a limited set of sanctioned and trusted SaaS applications, such as Office 365. In such scenarios, Cloud onRamp for SaaS can be set up to dynamically choose the optimal path among multiple ISPs for both applications permitted to go directly and for applications routable per enterprise policy through SWG.

To learn more about Cloud onRamp for Office 365, read our white paper. For more information about Cisco SD-WAN, click here.

If you’re attending Microsoft Ignite in Orlando next week, make sure to visit Cisco at booth #418. I’d love to show you how to improve your Office 365 connectivity and user experience using Cisco SD-WAN.

Continue reading